BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"), HAProxy generates a list of filters based on the sni_ctx in memory. However it's not always relevant, sometimes no filters were configured and the CN/SAN in the new certificate are not the same. This patch fixes the issue by using a flag filters in the ckch_inst, so we are able to know if there were filters or not. In the late case it uses the CN/SAN of the new certificate to generate the sni_ctx. note: filters are still only used in the crt-list atm.

commit: 6763016866721a5c27b6a481783490e3c1692f8b [log] [tgz]
author: William Lallemand <wlallemand@haproxy.com> Mon Mar 09 16:56:39 2020 +0100
committer: William Lallemand <wlallemand@haproxy.org> Mon Mar 09 17:32:04 2020 +0100
tree: 5acb3ed61038e238d705f59eb6dda42025df6e64
parent: 0a52846603507411b6e6391448876dfc26c02499 [diff] [blame]
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index 716be89..b010448 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h

@@ -129,6 +129,7 @@
 	struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
 	struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
 	struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
+	unsigned int filters:1; /* using sni filters ? */
 	unsigned int is_default:1;      /* This instance is used as the default ctx for this bind_conf */
 	/* space for more flag there */
 	struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
commit	6763016866721a5c27b6a481783490e3c1692f8b	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.com>	Mon Mar 09 16:56:39 2020 +0100
committer	William Lallemand <wlallemand@haproxy.org>	Mon Mar 09 17:32:04 2020 +0100
tree	5acb3ed61038e238d705f59eb6dda42025df6e64
parent	0a52846603507411b6e6391448876dfc26c02499 [diff] [blame]